Web App getting Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'


Problem description

I see that many people get this error, but their situations all appear a little different from mine.

I have an ASP.NET 4.0 web app that runs in IIS 6.0 on a Windows 2003 Server.

When I Remote to the web server box and log on there and access the site as localhost rather than by machine name, the web app works fine. However, when I access the web site from another client machine, I get the following error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

The web site has Anonymous access turned Windows Authentication turned on. The web app contains the following:

    <authentication mode="Windows"></authentication>
    <identity impersonate="true"/>

    <connectionStrings>
        <add name="MyConnection" connectionString="Data Source=MyDbServer;Initial Catalog=MyDatabase;Integrated Security=True" />
    </connectionStrings>

My web server is running on a Virtual Server. Is this relevant? I assume not.

Note that if I add my domain\login and password in the web config after Impersonation = TRUE, the site works.

Recommended answer

It sounds like you're running into what's called a "double-hop" issue, which is where the server is not being trusted to pass the client's credentials on to another box (hop 1 is the credentials to the IIS box, hop 2 is from the IIS box to the SQL Server).

When you're logged directly into the server, the second hop doesn't need to take place since it's just passing credentials directly from the client machine (the IIS server in this scenario) directly to the SQL Server. Likewise, if the SQL Server lived on the IIS box, you wouldn't have this error either, since the client would only be making the one request to a box that could share the credentials with both IIS and SQL Server.

There are quite a few steps required to get the delegation to work, such as trusting the servers for delegation, creating SPNs and making sure that other proper permissions are given to the account that IIS is using to run the web site. There is a technet article that can help take you through a lot of the required steps here: https://docs.microsoft.com/en-us/archive/blogs/taraj/checklist-for-double-hop-issues-iis-and-sql-server

Note: if you're using NTLM and not Kerberos (or another delegatable protocol), it will not work, as the middle server (the IIS server) needs to have a token that it can pass along. Since NTLM is based on negotiation, it won't work.
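
To see which hop is failing, a small diagnostic handler can report the impersonated identity on the IIS box and then attempt the SQL Server connection. This is an added example, not code from the original question or answer: the handler name `DoubleHopCheck` is an assumption, `MyConnection` is the connection string name from the question, and the `auth_scheme` query assumes the login has the VIEW SERVER STATE permission.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

// Added diagnostic, not from the original post. DoubleHopCheck is an assumed name;
// "MyConnection" is the connection string name from the question's web.config.
public class DoubleHopCheck : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse res = context.Response;
        res.ContentType = "text/plain";

        // With <identity impersonate="true"/> this is the browser user's token (hop 1).
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        res.Write("Thread identity:     " + id.Name + "\n");
        // May read "Kerberos", "NTLM" or just "Negotiate".
        res.Write("Authentication type: " + id.AuthenticationType + "\n");
        // "Impersonation" is usable on this box only; "Delegation" can make hop 2.
        res.Write("Impersonation level: " + id.ImpersonationLevel + "\n");

        string cs = ConfigurationManager.ConnectionStrings["MyConnection"].ConnectionString;
        try
        {
            using (SqlConnection conn = new SqlConnection(cs))
            {
                conn.Open();
                res.Write("SQL Server login:    " + Scalar(conn, "SELECT SUSER_SNAME()") + "\n");
                // Needs VIEW SERVER STATE; reports KERBEROS or NTLM for this connection.
                res.Write("SQL auth scheme:     " + Scalar(conn,
                    "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID") + "\n");
            }
        }
        catch (SqlException ex)
        {
            // A failed second hop surfaces here as the ANONYMOUS LOGON login failure.
            res.Write("SQL error:           " + ex.Message + "\n");
        }
    }

    private static object Scalar(SqlConnection conn, string sql)
    {
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            return cmd.ExecuteScalar();
        }
    }
}
```

Requested from a remote client, a thread identity that shows the domain user with an impersonation level of `Impersonation`, followed by the ANONYMOUS LOGON error, matches the double-hop case described above. Remove the handler once troubleshooting is done, since it discloses account names.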
